Netscreen - Multiple destination NAT

L2 Linker

Netscreen - Multiple destination NAT

Hi,

 

I stumbled upon a small problem with Netscreen Destination NAT.

 

Netscreen supports multiple objects in the "Destination Adress"-field when doing destination NAT. Palo Alto only supports 1-to-1 Destination NAT.

 

The problem occurs when migration tool creates the rules the same way as Netscreen would, but when you push the policy you get error message:

 

 Error: nat rule 'test': Mismatch of destination address translation range between original address and translated address

    Error: Failed to parse nat policy

 

Here is an example:

palonetscreen.png

And here is an example of a rule that gets converted wrong by migration tool:

 

set policy id 1 from "internet" to "Untrust"  "Net_10.2.4.0" "192.168.70.3" "SSH" nat dst ip 10.200.200.200 permit log 
set policy id 1
set src-address "Net_10.2.1.0/29"
set src-address "Net_10_2_3.0/29"
set dst-address "192.168.70.1"
set dst-address "192.168.70.2"
set service "TCP_9000"
set service "TCP_9001"
set log session-init

 

Is it possible to get migration tool to split the rules by destination address, or if not maybe get a warning that this rule needs to be manually edited?

 

Big thanks so far!

L7 Applicator

Re: Netscreen - Multiple destination NAT

Thanks for the good explanation of the issue. We opened a bug and feature request. I will update this threat as soon we get something. Thanks

L2 Linker

hRe: Netscreen - Multiple destination NAT

Thanks, ill be looking out for it!

L7 Applicator

Re: hRe: Netscreen - Multiple destination NAT

Hotfix will be 3.3.1 to be released end of this week / begining of the next. Thanks

L2 Linker

Re: hRe: Netscreen - Multiple destination NAT

Awesome, thanks! 

L7 Applicator

Re: hRe: Netscreen - Multiple destination NAT

Fix just released, please try to update to 3.3.1 and if you can provide feedback if now its fixed or we need to do something else :-)

 

Thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!